New October Ransomware Attack Hits Endpoints as “Unknown” File Phishes for Victims

October 27, 2017 | By Comodo

Comodo Threat Intelligence Lab discovered a new October phishing campaign with the infamous IKARUSdilapidated Locky ransomware payload, marking the 4th hybrid of this evolving 2017 threat.

The hackers use a botnet of “zombie” computers under their control to coordinate a social engineering-based phishing attack targeting businesses and individuals. Emails hitting tens of thousands of endpoints as “unknown” files bypassed malware signature-based IT security and even machine learning-based artificial intelligence tools.

The botnet has a social engineering aspect, with users receiving an email with the subject line “Supplemental payment”. As with the other three IKARUSdilapidated attacks from August and September, clicking the attachment ultimately encrypts the victims’ computers and demands a bitcoin ransom.

Here is a detail of an actual e-mail from the first day of the attack.

The targeted campaign ran primarily from October 11-13, 2017.

This wave uses the “.asasin” extension for the encrypted files and is delivered by a Visual Basic Script (a “.vbs” attachment). All four waves of the IKARUSdilapidated attacks were designed with enough new code to fool security administrators and their machine learning algorithms and signature-based tools. The social engineering variations were also notable, aimed at fooling the employees receiving the emails.
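
On the endpoint, the observable trace of this wave is the renaming of a user's files to the “.asasin” extension. The following is an added example, not Comodo's code or any tooling described in the post: a small heuristic that reads constructed file-activity log lines and raises one alert per host when renames to that extension cluster within a short window. The log format, host names, paths, and the threshold and window values are all assumptions made for the illustration.

```python
"""Alert on a burst of renames to the ".asasin" extension on one host.

Added example, not Comodo's code: the log format, hosts, paths and the
threshold/window values are constructed assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-activity log, one event per line (format is an assumption):
#   <ISO-8601 UTC time> <host> RENAME <old path> -> <new path>
# Paths contain no spaces, so splitting on the first three spaces is enough.
SAMPLE_EVENTS = r"""
2017-10-11T09:14:02Z WS-017 RENAME C:\Users\ana\Documents\q3-budget.xlsx -> C:\Users\ana\Documents\7F2A9C1B.asasin
2017-10-11T09:14:02Z WS-017 RENAME C:\Users\ana\Documents\notes.docx -> C:\Users\ana\Documents\0D4E11AA.asasin
2017-10-11T09:14:03Z WS-017 RENAME C:\Users\ana\Pictures\team.jpg -> C:\Users\ana\Pictures\91C0B7E3.asasin
2017-10-11T09:14:03Z WS-017 RENAME C:\Users\ana\Documents\invoice.pdf -> C:\Users\ana\Documents\A55D2F60.asasin
2017-10-11T09:14:04Z WS-017 RENAME C:\Users\ana\Desktop\plan.pptx -> C:\Users\ana\Desktop\3C8E7B12.asasin
2017-10-11T09:20:45Z WS-022 RENAME C:\Users\bo\Downloads\draft.txt -> C:\Users\bo\Downloads\draft-final.txt
2017-10-11T10:02:10Z WS-022 RENAME C:\Users\bo\Documents\old.asasin -> C:\Users\bo\Documents\old.bak
2017-10-11T10:03:00Z WS-022 RENAME C:\Users\bo\Documents\a.txt -> C:\Users\bo\Documents\B1.asasin
"""


def parse_event(line):
    """Turn one log line into a dict with a parsed UTC timestamp."""
    ts, host, op, rest = line.split(" ", 3)
    src, dst = rest.split(" -> ", 1)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "op": op, "src": src, "dst": dst}


def detect_mass_rename(lines, ext=".asasin", threshold=5, window=timedelta(seconds=60)):
    """Return one alert per host whose renames *to* `ext` reach `threshold`
    inside a sliding `window`.  Lines are assumed to be in time order.

    Only the destination name is checked, so renaming a stray ".asasin" file
    back to something else does not count, and a single rename stays below
    the threshold: the signal is the burst, not one file.
    """
    recent = defaultdict(deque)   # host -> timestamps of matching renames
    alerted = set()
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev["op"] != "RENAME" or not ev["dst"].lower().endswith(ext):
            continue
        q = recent[ev["host"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append({"host": ev["host"],
                           "first_seen": q[0].isoformat(),
                           "count": len(q),
                           "example_path": ev["dst"]})
    return alerts


if __name__ == "__main__":
    for a in detect_mass_rename(SAMPLE_EVENTS.splitlines()):
        print(f"{a['host']}: {a['count']} renames to .asasin since "
              f"{a['first_seen']}Z, e.g. {a['example_path']}")
```

Run as-is, the sample produces a single alert for WS-017; WS-022 stays quiet because its one rename to “.asasin” never reaches the threshold and the rename away from that extension is ignored. The threshold and window are tuning knobs: too low and backup or archiving jobs will trip it, too high and the first files are lost before the alert fires.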

In the attacks, “.vbs” files are distributed via email. This shows that malware authors are developing variations to reach more users at firms that allow new, unknown files to enter their infrastructure through the endpoint. This unfortunately includes many firms in the F1000 as well as small- and medium-sized enterprises.
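
The mail gateway is where a “.vbs” attachment can be stopped before it reaches an endpoint. The following is an added example, not Comodo's code or product: it parses constructed gateway log lines, applies a deny-by-type verdict to each attachment based on its final file extension, and tallies what was quarantined by subject line and sending IP, much as the post's range-owner table does. The log format, addresses, IPs and file names are constructed; the post names only “.vbs”, so extending the blocked set to other Windows Script Host and batch types is an assumption.

```python
"""Triage inbound mail attachments by type and summarize what was blocked.

Added example, not Comodo's code or product.  The log format, addresses,
IPs and file names are constructed; ".vbs" comes from the post, the other
blocked extensions are an assumption.
"""
import shlex
from collections import Counter
from pathlib import PureWindowsPath

# File types Windows runs as a script when double-clicked.  ".vbs" is the
# type named in the post; the rest are added here as an assumption.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd"}

# Constructed gateway log lines (format is an assumption):
#   <time> client=<ip> from=<addr> subject="<text>" attachment="<file name>"
SAMPLE_LOG = """
2017-10-11T08:02:11Z client=203.0.113.45 from=billing@example.net subject="Supplemental payment" attachment="payment_4471.vbs"
2017-10-11T08:02:19Z client=198.51.100.7 from=accounts@example.org subject="Supplemental payment" attachment="invoice_0933.pdf.vbs"
2017-10-11T08:03:02Z client=192.0.2.88 from=hr@example.com subject="Team lunch" attachment="menu.pdf"
2017-10-11T08:05:40Z client=203.0.113.46 from=payroll@example.net subject="Supplemental payment" attachment="Supplemental_payment.VBS"
2017-10-11T08:06:01Z client=192.0.2.90 from=it@example.com subject="Patch notes" attachment=""
"""


def parse_record(line):
    """Split one log line into a dict; shlex keeps quoted values with spaces intact."""
    time, *fields = shlex.split(line)
    rec = {"time": time}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def attachment_verdict(name):
    """Return (verdict, reason) for one attachment file name.

    Only the final suffix decides: "invoice.pdf.vbs" is a script no matter
    what the decoy extension in front of it says.  The comparison is
    case-insensitive because Windows is.
    """
    if not name:
        return "deliver", "no attachment"
    suffix = PureWindowsPath(name).suffix.lower()
    if suffix in SCRIPT_EXTENSIONS:
        return "quarantine", f"script attachment ({suffix})"
    return "deliver", f"allowed type ({suffix or 'none'})"


def triage_log(lines):
    """Attach a verdict and reason to every record in the log."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        rec["verdict"], rec["reason"] = attachment_verdict(rec.get("attachment", ""))
        results.append(rec)
    return results


def quarantine_summary(results):
    """Count quarantined messages by subject and by sending IP."""
    blocked = [r for r in results if r["verdict"] == "quarantine"]
    return {"by_subject": Counter(r["subject"] for r in blocked),
            "by_client": Counter(r["client"] for r in blocked)}


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG.splitlines())
    for r in results:
        print(r["time"], r["verdict"], r["reason"], r.get("attachment") or "-")
    print(quarantine_summary(results))
```

The point of deciding on the last suffix is the double-extension lure (“invoice.pdf.vbs”) and the upper-case variant (“.VBS”): both are the same script type to Windows, so both get the same verdict. Messages with no attachment or with a type outside the deny list are delivered; what the gateway cannot classify is exactly the “unknown file” the post argues should be held rather than waved through.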

The victims here see the ransomware demand screen so familiar to the victims of the first three waves of IKARUSdilapidated Locky attacks during the summer and September.

Looking closer at one view of the ransom screen, you see that they invoke Wikipedia as a means for the victim to learn more about the encryption ciphers:

Here is a heat map of the October 11 attack, showing its global range.

Locations in India, Vietnam, Iran and Brazil were the primary recipients.

ISPs in general were co-opted heavily, which points again to both the sophistication of the attack and inadequate cyber-defense against new malware arriving at their endpoints.

Here are the leading range owners detected in the “Supplemental payment” attack:

Range Owner                                  Sum – Count of Emails
Airtel Broadband                             872
Vietnam Posts and Telecommunications (VNPT)  730
Viettel Corporation                          530
FPT Telecom Company                          438
Bharti Airtel                                411

Here you can see a sample of the scripting, which is quite different from that used in the September 2017 attacks.

Phishing and Trojan experts from the Comodo Threat Intelligence Lab (part of Comodo Threat Research Labs) detected these “Locky” ransomware attacks and verified that they began on October 11. More than 10,367 instances of phishing emails were detected at Comodo-protected endpoints in the first three days. The attachments were read as “unknown files,” put into containment, and denied entry until they were analyzed by Comodo’s technology and, in this case of sophisticated new malware that eluded A.I., by the Lab’s human experts.

The Lab’s analysis of emails sent in the “Supplemental payment” phishing campaign revealed this attack data: 9,177 different IP addresses were used, spread across 143 different country code top-level domains maintained by the Internet Assigned Numbers Authority (IANA).

Amazingly, when the Lab analyzed the sources and compared them to the IP addresses that participated in the last three campaigns, 546 of the IP addresses had already been used in those earlier campaigns, alongside 8,631 IP addresses new to this attack. That the same machines keep being reused is another sign of either under-resourced or inadequately trained IT security staff (or likely both).

“The attacks from these hackers will continue as long as firms continue to utilize the inadequate strategies and tools from legacy vendors,” said Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs (CTRL). “The unknown file problem is getting worse and we strongly encourage CSOs to reevaluate their ‘default allow’ security posture and to evaluate next generation auto-containment and other isolation technologies which protect against new or newly malware like that used in these IKARUS Locky attacks.”

Want a deeper dive into the attack data? Check the new Comodo Threat Intelligence Lab “SPECIAL REPORT: OCTOBER 2017 – OCTOBER BRINGS 4TH WAVE OF RANSOMWARE ATTACKS; ‘.ASASIN’ EXTENSION USED FOR ENCRYPTED FILES”. The Special Report is one of many included with a free subscription to Lab Updates at https://comodo.com/lab. It provides in-depth coverage of this attack, with more analysis and with appendices that include malware analysis and more detail on the sources and machines used in the attacks. Your Lab Updates subscription also includes Parts I, II, and III of the “Special Report: IKARUSdilapidated Locky Ransomware” series and also provides you with the Lab’s “Weekly Update” and “Special Update” videos. Subscribe today at comodo.com/lab.

NOTE FOR MEDIA INQUIRIES: If you’d like to speak with the Comodo Threat Intelligence Lab’s experts on this and the related threats and technologies, please contact: media-relations@comodo.com
